Re: Not getting Reply-items from Ldap..

Old 03-09-2005
Kostas Kalevras
 

On Wed, 9 Mar 2005, Girish Tyagi wrote:

> Hello,
>
> I have configured FreeRadius-1.0.2 on my Redhat linux and
> Authorization and Authentication is being done through OpenLdap
> server.
> I am able to do both Authorization and Authentication successfully from
> my Radius Server, but I don't get reply-item from the server. I am running
> my server with (radiusd -X) option.
>
> @ I run this command from my system: @
>
> # radtest linux linux localhost 0 testing123
>
> @output I get is :@
>
> Sending Access-Request of id 153 to 127.0.0.1:1812
> User-Name = "linux"
> User-Password = "linux"
> NAS-IP-Address = dns.hclinfinet.net
> NAS-Port = 0
> rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=153, length=20
>
>
> @ Radiusd -X output gives :@
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1:32961, id=153, length=57
> User-Name = "linux"
> User-Password = "linux"
> NAS-IP-Address = 255.255.255.255
> NAS-Port = 0
> rad_lowerpair: User-Name now 'linux'
> rad_rmspace_pair: User-Name now 'linux'
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_realm: No '@' in User-Name = "linux", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for linux
> radius_xlat: '(uid=linux)(objectclass=radiusprofile)'
> radius_xlat: 'ou=users,ou=radius,o=hclinfinet'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to localhost:389, authentication 0
> rlm_ldap: bind as
> cn=freeradius,ou=admins,ou=radius,o=hclinfinet/freeradius to


Does cn=freeradius,ou=admins,ou=radius,o=hclinfinet have access to the radius
ldap attributes of your users? Perform the exact same ldap search through a tool
like ldapsearch and see what happens.

> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in ou=users,ou=radius,o=hclinfinet, with
> filter (uid=linux)(objectclass=radiusprofile)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user linux authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authtype for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "linux" with password "linux"
> rlm_ldap: user DN: uid=linux,ou=users,ou=radius,o=hclinfinet
> rlm_ldap: (re)connect to localhost:389, authentication 1
> rlm_ldap: bind as uid=linux,ou=users,ou=radius,o=hclinfinet/linux to
> localhost:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: user linux authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group authtype returns ok for request 0
> Sending Access-Accept of id 153 to 127.0.0.1:32961
> Finished request 0
> Going to the next request
>
> @ ldif file for linux user is :@
>
> dn: uid=linux,ou=users,ou=radius,o=hclinfinet
> objectclass: radiusProfile
> uid: linux
> userPassword: linux
> radiusServiceType: Framed-User
> radiusFramedProtocol: PPP
> radiusFramedIPAddress: 10.0.0.1
> radiusFramedIPNetmask: 255.255.255.0
> radiusFramedRoute: Broadcast-Listen
> radiusFilterId: "std.ppp"
> radiusFramedMTU: 1500
> radiusFramedCompression: Van-Jacobsen-TCP-IP
> cn: linux
>
> @ radius.conf :@
>
> authorize {
> preprocess
> suffix
> ldap
> }
> authenticate {
> authtype LDAP {
> ldap
> }
> }
>
>
>
> But if I use files in authorize section instead of ldap, and Auth-type=Local,
> and configure the reply-item in users file, then I get the reply items.
>
> ldap.attrmap has the Radius to ldap items mapping, like:
>
> checkItem $GENERIC$ radiusCheckItem
> replyItem $GENERIC$ radiusReplyItem
>
> checkItem Auth-Type radiusAuthType
> checkItem Simultaneous-Use radiusSimultaneousUse
> checkItem Called-Station-Id radiusCalledStationId
> checkItem Calling-Station-Id radiusCallingStationId
> checkItem LM-Password lmPassword
> checkItem NT-Password ntPassword
> checkItem SMB-Account-CTRL-TEXT acctFlags
> checkItem Expiration radiusExpiration
>
> replyItem Service-Type radiusServiceType
> replyItem Framed-Protocol radiusFramedProtocol
> replyItem Framed-IP-Address radiusFramedIPAddress
> replyItem Framed-IP-Netmask radiusFramedIPNetmask
> replyItem Framed-Route radiusFramedRoute
>
> etc...
>
>
> Please guide me on where I am making a mistake.
>
> Thanks,
> Girish
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


--
Kostas Kalevras Network Operations Center
kkalev@noc.ntua.gr National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
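
The check suggested in the reply, as an added example that is not part of the original posts: it prints the ldapsearch command for the same bind DN, base and filter shown in the radiusd -X output, and lists which replyItem-mapped attributes are absent from the LDIF that bind DN gets back. The host URI, the helper names and the sample LDIF are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Bind DN, base and filter are copied from the debug output in the thread.
BIND_DN='cn=freeradius,ou=admins,ou=radius,o=hclinfinet'
BASE='ou=users,ou=radius,o=hclinfinet'
FILTER='(uid=linux)(objectclass=radiusprofile)'

# Subset of ldap.attrmap as quoted in the thread.
ATTRMAP='replyItem $GENERIC$ radiusReplyItem
checkItem Auth-Type radiusAuthType
replyItem Service-Type radiusServiceType
replyItem Framed-Protocol radiusFramedProtocol
replyItem Framed-IP-Address radiusFramedIPAddress
replyItem Framed-IP-Netmask radiusFramedIPNetmask
replyItem Framed-Route radiusFramedRoute'

# Constructed sample (not output from the poster's server): what the service
# account might see if an ACL hides most radius* attributes from it.
SAMPLE_LDIF='dn: uid=linux,ou=users,ou=radius,o=hclinfinet
objectClass: radiusProfile
uid: linux
cn: linux
radiusServiceType: Framed-User'

# LDAP attribute names mapped to RADIUS reply items. The $GENERIC$ mapping is
# skipped because the entry in the thread does not use radiusReplyItem.
reply_attrs() {
    printf '%s\n' "$ATTRMAP" |
        awk '$1 == "replyItem" && $2 != "$GENERIC$" { print $3 }'
}

# The search to run by hand, bound as the DN rlm_ldap uses (-W prompts for the password).
search_cmd() {
    printf "ldapsearch -x -LLL -H ldap://localhost:389 -D '%s' -W -b '%s' '%s' %s\n" \
        "$BIND_DN" "$BASE" "$FILTER" "$(reply_attrs | tr '\n' ' ' | sed 's/ $//')"
}

# Read LDIF on stdin and print each mapped reply attribute that is not in it.
missing_reply_attrs() {
    ldif=$(cat)
    for attr in $(reply_attrs); do
        printf '%s\n' "$ldif" | grep -qi "^$attr:" || printf '%s\n' "$attr"
    done
}

search_cmd
printf '%s\n' "$SAMPLE_LDIF" | missing_reply_attrs
```

Pipe the real ldapsearch output into `missing_reply_attrs`; any attribute it prints is present in the user's entry but not readable by the bind DN, or not set at all.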
